Authors

Document Type

Publisher

Security Research Centre, School of Computer and Security Science, Edith Cowan University, Perth, Western Australia

Comments

Originally published in the Proceedings of the 7th Australian Information Security Management Conference, Perth, Western Australia, 1st to 3rd December 2009

Abstract

A security policy which includes the appropriate phases of implementation, enforcement, auditing and review is vital to protecting an organisations information security. This paper examined the information security policy of a government organisation in response to a number of perceived shortcomings. The specific issues identified relating to the organisations security policy as a result of this investigation were as follows: a culture of ignoring policies, minimal awareness of policies, minimal policy enforcement, policy updating and review ad hoc at best, policy framework, lengthy policy development and approval process, no compliance program, no formal non-compliance reporting and an apparent inconsistent enforcement across the whole of the organisation. In response to these identified issues, the following recommendations were made to improve the information security of the organisation: changing the organisations culture, creating an awareness mechanism for policies, improving the organisations culture, create an ICT policy awareness programme, review and re-write existing policies, policy enforcement, policy compliance, policy noncompliance reporting, policy updating and review, improve the policy development and approval process, policy compliance checking and uniform policy enforcement. Whilst it is also likely that a lack of governance contributed to these issues, this aspect was not addressed in this paper. It is hoped that timely implementation of the remedies presented here will increase the organisations information security.